Change phpseclib dependency to 3.0.*, include composer.lock, explain …

…this in README WE2-876 Signed-off-by: Mart Somermaa <[email protected]>
web-eid · Mar 8, 2024 · 37447cd · 37447cd
1 parent a8cdadc
commit 37447cd
Show file tree

Hide file tree

Showing 4 changed files with 1,900 additions and 2 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1,4 +1,3 @@
-composer.lock
 .phpunit.result.cache
 .phpunit.cache/
 vendor

diff --git a/README.md b/README.md
@@ -150,6 +150,27 @@ try {
 }
 ```
 
+# PHPSeclib versioning policy
+
+Starting from version 1.1.0 we adopt a flexible versioning policy for
+`phpseclib` and specify the dependency as `3.0.*`. This approach allows our
+library integrators to quickly incorporate security patches and minor updates
+from `phpseclib`.
+
+## Why we include `composer.lock`
+
+While it is common practice for applications to include a `composer.lock` file
+to lock down the specific versions of dependencies used, this is less common
+for libraries. However, we have chosen to include `composer.lock` in our
+repository to clearly indicate the exact versions of dependencies we have
+tested against.
+
+Although our library is designed to work with any minor version of `phpseclib`
+within the specified range, the `composer.lock` file ensures that integrators
+are aware of the specific version we consider stable and secure. The provided
+`composer.lock` is intended to be used as a reference, not a strict
+requirement.
+
 # Code formatting
 
 We are using `Prettier` for code formatting. To install Prettier, use following command:

diff --git a/composer.json b/composer.json
@@ -27,7 +27,7 @@
         }
     },
     "require": {
-        "phpseclib/phpseclib": "3.0.37"
+        "phpseclib/phpseclib": "3.0.*"
     },
     "scripts": {
         "fix-php": [